Re: [whatwg/fetch] Hide range values from no-cors cross-origin range requests (Issue #1936) from Jake Archibald on 2026-06-25 (public-webapps-github@w3.org from June 2026)

From: Jake Archibald <notifications@github.com>
Date: Thu, 25 Jun 2026 09:43:21 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/1936/4802023793@github.com>

jakearchibald left a comment (whatwg/fetch#1936)

The conclusion in WHATNOT was to go with [none of the options](https://github.com/whatwg/fetch/issues/1936#issuecomment-4797544826), and instead, if the request is from media, and no-cors, it skips the service worker.

This means developers must use the `crossorigin` attribute on media elements to make them CORS requests, even if they're same origin.

I'm ok with this, given the security issues, and how hacky the other options were.

I'm curious what Chrome folks think about this.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1936#issuecomment-4802023793
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/issues/1936/4802023793@github.com>

Received on Thursday, 25 June 2026 16:43:25 UTC